Umbraco CMS local file inclusion - Vulnerability Database

Umbraco CMS local file inclusion

Description

Umbraco CMS installations that ship a vulnerable ClientDependency package contain a local file inclusion (LFI) vulnerability in the default installation. The ClientDependency framework exposes a publicly accessible handler at 'DependencyHandler.axd' that accepts base64-encoded file paths and combines and minifies the referenced CSS and JavaScript resources. Because the decoded paths are not sufficiently validated, an attacker can manipulate these encoded parameters to read arbitrary files on the server's filesystem, bypassing the access restrictions the handler was meant to enforce.

Remediation

Immediately update the ClientDependency package to the latest patched version as specified in the Umbraco security advisory. To remediate this vulnerability:

1. Identify your current ClientDependency version by checking your project's package references or the NuGet packages configuration
2. Update to the fixed version using NuGet Package Manager or by running:

    Update-Package ClientDependency

3. Clear the application cache and restart the application pool to ensure the updated package is loaded
4. Verify the fix by testing that 'DependencyHandler.axd' no longer accepts arbitrary file paths
5. Review web server logs for any suspicious access patterns to 'DependencyHandler.axd' that may indicate prior exploitation
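As an added illustration of step 5 (not part of the advisory), the following script scans IIS W3C log lines for requests to 'DependencyHandler.axd', decodes the base64 file list and flags entries that reference traversal, rooted paths or anything other than CSS/JS. The parameter names 's' and 't' and the log lines are assumptions constructed for the example, not values taken from the advisory.

```python
import base64
import binascii
from urllib.parse import unquote

# Assumption (not from the advisory): file list is base64 in 's'; bundles use only .css/.js.
HANDLER, FILE_PARAM, ALLOWED_EXT = "dependencyhandler.axd", "s", (".css", ".js")

def decode_file_list(value):
    """Base64-decode the file-list parameter; None if it is not valid base64."""
    raw = unquote(value).replace("-", "+").replace("_", "/")
    raw += "=" * (-len(raw) % 4)  # tolerate stripped padding
    try:
        text = base64.b64decode(raw, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    return [p for p in text.split(";") if p]

def is_suspicious_path(path):
    """True for traversal, rooted or drive-letter paths, or non-CSS/JS targets."""
    p = path.replace("\\", "/")
    if ".." in p.split("/") or p.startswith("/") or p[1:2] == ":":
        return True
    return not p.lower().split("?")[0].endswith(ALLOWED_EXT)

def scan_iis_log(lines):
    """Return (line_no, client_ip, paths) for handler requests whose decoded file list is
    undecodable or out of scope. Expects IIS W3C lines with a '#Fields:' header."""
    fields, hits = [], []
    for n, line in enumerate(lines, 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        if line.startswith("#") or not line.strip():
            continue
        rec = dict(zip(fields, line.split()))
        if not rec.get("cs-uri-stem", "").lower().endswith(HANDLER):
            continue
        for part in rec.get("cs-uri-query", "").split("&"):
            key, _, val = part.partition("=")
            if key == FILE_PARAM:
                paths = decode_file_list(val)
                if paths is None or any(is_suspicious_path(p) for p in paths):
                    hits.append((n, rec.get("c-ip"), paths or ["<undecodable>"]))
    return hits

def b64(s): return base64.b64encode(s.encode()).decode()  # helper for sample data
SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    f"2024-01-10 09:12:01 10.0.0.5 GET /DependencyHandler.axd s={b64('~/css/site.css;~/scripts/app.js')}&t=Css 200",
    f"2024-01-10 09:12:05 203.0.113.7 GET /DependencyHandler.axd s={b64('~/../web.config')}&t=Css 200",
    "2024-01-10 09:12:09 10.0.0.5 GET /umbraco/ - 200",
]
```

Feed real log lines to scan_iis_log and treat any hit as a candidate for the prior-exploitation review the advisory calls for.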

If immediate patching is not possible, consider temporarily restricting access to 'DependencyHandler.axd' through web server configuration or web application firewall rules until the update can be applied.